Dive Brief:
- Cryptocurrency ransomware payments fell from a record $1.25 billion in 2023 to nearly $814 million in 2024, a report released Wednesday by Chainalysis showed.
- The 35% year-over-year decline in payments comes despite an increase in the second half of 2024 in "ransomware events," which occur when cybercrime gangs call out victims on data leak sites.
- Chainalysis noted that the decline occurred even though it observed some "exceptionally large" ransomware payments, such as the record-setting $75 million payment to Dark Angels last year.
Dive Insight:
Chainalysis attributed the steep decline in ransomware payments to several factors, including significant actions from law enforcement agencies across the globe. For example, an international coalition of law enforcement agencies last February conducted the first phase of "Operation Cronos," which disrupted the prolific LockBit ransomware gang. Authorities seized LockBit's infrastructure, cryptocurrency accounts and decryption keys. In later phases of the operation, law enforcement agencies arrested several alleged members of the gang and indicted the alleged ringleader, Russian national Dimitry Yuryevich Khoroshev.
"LockBit, which was disrupted by the United Kingdom’s National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) in early 2024, saw H2 payments decrease by approximately 79%, showcasing the effectiveness of international law enforcement collaboration," Chainalysis said in the report.
Additionally, Chainalysis highlighted law enforcement actions and government sanctions against cryptocurrency laundering services or "mixers" such as Tornado Cash and ChipMixer. The blockchain analytics firm observed a "substantial decline" in mixer usage among ransomware gangs; mixers typically received 10% to 15% of ransomware payment-laundering activity each quarter.
In place of mixers, Chainalysis said more ransomware operators are opting to store payments in personal wallets or use cross-chain bridges to "off-ramp" payments to other types of cryptocurrency.
The 35% drop also is due to "improved victim resilience" and a growing number of organizations refusing to pay ransoms, Chainalysis found. "Crackdowns and collaboration with incident response firms and blockchain experts helped disrupt many ransomware groups, reducing their profitability," the company said. "Victims also demonstrated greater resistance to ransom demands, widening the gap between demands and payments."
Despite the disruptions caused by law enforcement actions, Chainalysis warned that threat actors continue to adapt and change tactics. The report noted that new ransomware strains have emerged from leaked or purchased code, as well as from rebranded ransomware-as-a-service operations, in an effort to evade law enforcement and cybersecurity companies.